Overview

overview

8

Static

static

1

86f757ab1d...d8.exe

windows7-x64

8

86f757ab1d...d8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86f757ab1d66de240d7f09c93046dfeb8606966ed0c2425e5bb6eb2faf74bfd8.exe

  • Size

    346KB

  • MD5

    0f34cb1f25ba4b48360fd98b7cab5a10

  • SHA1

    93de67f7ac7ebb72b801c7c098bb59f29a7a8fce

  • SHA256

    86f757ab1d66de240d7f09c93046dfeb8606966ed0c2425e5bb6eb2faf74bfd8

  • SHA512

    70b052db42277dd3e743243157fe8c4d1bc40aa32092338f7302ccf0e5bb6ed25c7c71f02afe0ae67744ce43b05378edd3e029be42573cb79abc7d0b4ec27ed0

  • SSDEEP

    6144:ye34e5MvlhNC7JuyKAs8LG9R3HNe76JvML/9c7Cr7Ob+FT:ny+YyXSvi2v2ICvOb+FT

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86f757ab1d66de240d7f09c93046dfeb8606966ed0c2425e5bb6eb2faf74bfd8.exe
    "C:\Users\Admin\AppData\Local\Temp\86f757ab1d66de240d7f09c93046dfeb8606966ed0c2425e5bb6eb2faf74bfd8.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk08.icw"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWow64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk08.icw"
        3⤵
          PID:1004
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1656
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:288

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\EditPlus\kk08.icw
      Filesize

      132B

      MD5

      40c90605f008d041bdb6d3897661a87f

      SHA1

      85ab92e38892f62ba34976c39d70654e00e51ac4

      SHA256

      8b2855f3ca90d537a1d83c02b50775fcdb7f9ddf6bda732b6fbced8fe33245a2

      SHA512

      aa7845b6c09765000b658ba4981722d88f5b14586b1d06964d47f5066387ec8454b561573a637519421ca3fcdcca5eb87b3cee6f036dcca248ba07a85dabeae2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2V1XPFAZ.txt
      Filesize

      608B

      MD5

      8471a22b47a835db3c28ff51eb5914cd

      SHA1

      5042850139b27da2042ea469de3482b5e4de0bb9

      SHA256

      0b870bba9ca4f743b25d60947b2ab2a44991493e150ae2a335ce96e17280b09d

      SHA512

      7243e04520ecb56c6f31195be27d3e53f347a7928879c223095e8b24cd1cae7a5723ce26e094ed5b8400206ce03d297b0af6e6397edfb654a199ea6e425b9af4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
      Filesize

      44KB

      MD5

      7c30927884213f4fe91bbe90b591b762

      SHA1

      65693828963f6b6a5cbea4c9e595e06f85490f6f

      SHA256

      9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

      SHA512

      8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk08.icw
      Filesize

      840B

      MD5

      41ddc224d14f955662bff57d02108913

      SHA1

      e69c1bebd63bc8c09d689928ec19d747dcfdf02f

      SHA256

      666f0a7db2b319aca3907526928a7eb383c17ce75728b6ac4422dc596a60e489

      SHA512

      a69a3b0094263582d7f2830a8581cef0651fc34b2064bf532cdff456460f961e5255f921f37ccf5620252b31021aa9d2b9eed53ee5aa3baa45295141c14e6ce6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
      Filesize

      80KB

      MD5

      5be4eb5fdadec491b400154856934411

      SHA1

      08fe0f77953b2f9551f31b866af1979abf17fb76

      SHA256

      4fe92016750ab429662870c03966c4cc0b8f2c9e179daa17a05298d0fb5d4dc8

      SHA512

      d42369fa74df36433b807c025b8214984ba24ca77ab38946664b8b2017f9e5383b83751744c1ffb716206470e832fab72ca24ae8cf2808250af86afef742ce90

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nstA45C.tmp\System.dll
      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nstA45C.tmp\nsExec.dll
      Filesize

      6KB

      MD5

      acc2b699edfea5bf5aae45aba3a41e96

      SHA1

      d2accf4d494e43ceb2cff69abe4dd17147d29cc2

      SHA256

      168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

      SHA512

      e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
      Filesize

      44KB

      MD5

      7c30927884213f4fe91bbe90b591b762

      SHA1

      65693828963f6b6a5cbea4c9e595e06f85490f6f

      SHA256

      9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

      SHA512

      8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll
      Filesize

      80KB

      MD5

      5be4eb5fdadec491b400154856934411

      SHA1

      08fe0f77953b2f9551f31b866af1979abf17fb76

      SHA256

      4fe92016750ab429662870c03966c4cc0b8f2c9e179daa17a05298d0fb5d4dc8

      SHA512

      d42369fa74df36433b807c025b8214984ba24ca77ab38946664b8b2017f9e5383b83751744c1ffb716206470e832fab72ca24ae8cf2808250af86afef742ce90

      Download Submit

    • memory/1676-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

      Filesize

      8KB

      Download